[Esapi-user] SideJacking Question
jim.manico at owasp.org
Wed May 25 12:06:55 EDT 2011
An AJAX request is no different than other requests. Just make sure sensitive data is part of an SSL POST payload instead of in GET parameters.
On May 25, 2011, at 5:47 PM, "Lukas, Ray" <Ray.Lukas at supermedia.com> wrote:
> I am new, very new, so...
> Sidejacking is roughly defined as stealing someone's authenticated session object, thereby stealing their identity.
> The solution is to never send the session through anything that is not an SSL channel. In ESAPI, if I have this right, you say ESAPI.httpUtilities().assertSecureChannel();
> Now (at last) the question:
> Sessions can also be transmitted by Ajax requests, right, so... does this help me with that as well?
> Thanks guys. I am still reading and learning, but you got my attention at least.
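To make the point in the reply concrete, here is an added example (my own code, not something from this thread or from the ESAPI project) of a servlet Filter that runs ESAPI's secure-channel check on every request, so an XMLHttpRequest carrying the session cookie is refused over plain HTTP exactly like a form post or a page load would be. For a set of illustrative "sensitive" paths it also calls ESAPI's assertSecureRequest, which additionally requires the POST method, so the sensitive fields travel in the body rather than in a query string that ends up in logs and browser history. The class name, the path list and the 403 response are assumptions chosen for the example.

```java
// Added example: not from the mailing-list thread and not ESAPI's own code.
// Assumes ESAPI 2.x on the classpath and a Servlet 2.5+/3.0 container.
import java.io.IOException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.owasp.esapi.ESAPI;
import org.owasp.esapi.errors.AccessControlException;

public class SecureChannelFilter implements Filter {

    // Hypothetical paths whose handlers read sensitive input. They must arrive as an
    // HTTPS POST so the values are in the payload, not in GET parameters.
    private static final Set<String> SENSITIVE_PATHS = new HashSet<String>(Arrays.asList(
            "/api/changePassword", "/api/transfer"));

    public void init(FilterConfig filterConfig) { }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) resp;

        // Register the current pair so the no-argument ESAPI helpers work further down the chain.
        ESAPI.httpUtilities().setCurrentHTTP(request, response);
        try {
            // The container sees one HTTP request whether it came from XMLHttpRequest,
            // a form submit or a link click, so one check covers AJAX traffic as well.
            ESAPI.httpUtilities().assertSecureChannel(request);

            if (SENSITIVE_PATHS.contains(request.getServletPath())) {
                // Secure channel AND POST method: sensitive data stays out of the URL.
                ESAPI.httpUtilities().assertSecureRequest(request);
            }
        } catch (AccessControlException e) {
            // Refuse to serve the resource (and never establish a session) over a plain channel.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        chain.doFilter(request, response);
    }

    public void destroy() { }
}
```

Map the filter to `/*` in web.xml so that AJAX endpoints are not left out by a narrower URL pattern. Two caveats a practitioner will hit: behind a TLS-terminating proxy the servlet container must be configured to report the original scheme, otherwise every request looks insecure to the check; and the check only refuses insecure requests, it does not stop the browser from sending the session cookie in the first place, so the session cookie should additionally be marked Secure (for example via `<cookie-config><secure>true</secure></cookie-config>` in a Servlet 3.0 web.xml) so it is never transmitted over HTTP at all.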